🇺🇸English
VulnHunter - Security Vulnerability Detection & Analysis
A comprehensive security audit skill for identifying dangerous APIs, footgun patterns, error-prone configurations, and hunting for vulnerability variants across codebases. Inspired by Trail of Bits' sharp-edges and variant-analysis methodologies.
Overview
VulnHunter combines two powerful security analysis techniques:
- Sharp Edges Detection - Identify error-prone APIs, dangerous defaults, and footgun designs
- Variant Analysis - Find similar vulnerabilities across codebases using pattern-based analysis
When to Use VulnHunter
Activate this skill when:
- Conducting security code reviews or audits
- Reviewing third-party dependencies for dangerous patterns
- Hunting for variants of known vulnerabilities
- Assessing API design for security footguns
- Pre-audit reconnaissance of unfamiliar codebases
Sharp Edges Detection
Categories of Sharp Edges
1. Dangerous Default Configurations
Look for configurations that are insecure by default:
- CORS: Access-Control-Allow-Origin: *
- Debug modes enabled in production
- Default credentials or API keys
- Permissive file permissions (777, 666)
- SSL/TLS verification disabled
- Insecure deserialization settings
2. Error-Prone APIs
Memory Safety:
// Dangerous: No bounds checking
strcpy(), strcat(), sprintf(), gets()
memcpy() without size validation
// Safer alternatives
strncpy(), strncat(), snprintf(), fgets()
memcpy_s() with explicit size
Cryptography Footguns:
- ECB mode encryption
- MD5/SHA1 for security purposes
- Hardcoded IVs or salts
- Custom crypto implementations
- Random without CSPRNG (Math.random for tokens)
Concurrency Issues:
- Race conditions in file operations
- Time-of-check to time-of-use (TOCTOU)
- Double-checked locking anti-patterns
- Non-atomic increment/decrement operations
3. Language-Specific Footguns
JavaScript/TypeScript:
// Dangerous patterns
eval(), new Function(), setTimeout(string)
innerHTML, outerHTML, document.write()
Object.assign() for deep clone (shallow only!)
== instead of === (type coercion)
Python:
# Dangerous patterns
pickle.loads(untrusted) # RCE vector
yaml.load(untrusted) # Use safe_load
exec(), eval()
os.system(), subprocess with shell=True
Rust:
// Patterns requiring extra scrutiny
unsafe { }
.unwrap() in production code
mem::transmute()
raw pointer dereference
Solidity/Smart Contracts:
// High-risk patterns
tx.origin for authentication // Phishing vulnerable
delegatecall to untrusted // Storage collision
selfdestruct // Permanent destruction
block.timestamp for randomness // Miner manipulable
Sharp Edges Checklist
When reviewing code, systematically check for:
- Authentication bypasses - Missing auth checks, default credentials
- Authorization flaws - Privilege escalation, IDOR patterns
- Injection vectors - SQL, Command, Template, XSS
- Cryptographic weaknesses - Weak algorithms, improper key handling
- Resource exhaustion - Unbounded loops, memory allocation
- Race conditions - TOCTOU, concurrent state modification
- Information disclosure - Verbose errors, debug endpoints
- Deserialization - Untrusted data unmarshaling
- Path traversal - User-controlled file paths
- SSRF vectors - User-controlled URLs, redirects
Variant Analysis
The Variant Hunting Process
- Identify the Root Cause - Understand WHY a vulnerability exists
- Extract the Pattern - What code structure enables it?
- Generalize the Pattern - Create regex/AST patterns
- Search Codebase - Hunt for similar structures
- Validate Findings - Confirm each variant is exploitable
Pattern Extraction Templates
Template 1: Missing Validation Pattern
Original bug: User input flows to SQL query without sanitization
Pattern: [user_input] -> [sink_function] without [validation_function]
Search for:
- Direct database calls with string concatenation
- ORM raw query methods with user parameters
- Similar data flows in adjacent modules
Template 2: Authentication Bypass
Original bug: Endpoint missing auth middleware
Pattern: Route definition without auth decorator/middleware
Search for:
- Routes defined after the vulnerable one
- Similar API patterns in other modules
- Admin/internal endpoints
Template 3: Race Condition
Original bug: Check-then-act without atomicity
Pattern: if (check_condition()) { act_on_condition() }
Search for:
- File existence checks followed by file operations
- Permission checks followed by privileged actions
- Balance checks followed by transfers
Search Strategies
Grep-Based Search
# Find potential SQL injection
grep -rn "execute.*%s" --include="*.py"
grep -rn "query.*\+" --include="*.js"
# Find dangerous deserialize
grep -rn "pickle.loads\|yaml.load\|eval(" --include="*.py"
# Find command injection vectors
grep -rn "os.system\|subprocess.*shell=True" --include="*.py"
Semantic Search (AST-Based)
For more precise matching, use AST-based tools:
- Semgrep - Cross-language semantic grep
- CodeQL - GitHub's semantic analysis
- tree-sitter - Universal parser
Variant Analysis Report Template
## Variant Analysis Report
### Original Finding
- **ID**: FINDING-001
- **Severity**: High
- **Root Cause**: [Description]
- **Affected File**: path/to/file.ext:line
### Pattern Extracted
[Code pattern or regex]
### Variants Discovered
| # | Location | Severity | Status | Notes |
|---|----------|----------|--------|-------|
| 1 | file.ext:42 | High | Confirmed | Same root cause |
| 2 | other.ext:100 | Medium | Suspected | Needs validation |
### Recommendations
[Systematic fix approach]
Workflow
Phase 1: Reconnaissance
- Identify technology stack and languages
- Map entry points (APIs, CLI, file inputs)
- Locate authentication/authorization logic
- Find cryptographic operations
- Identify external integrations
Phase 2: Sharp Edges Scan
- Run through sharp edges checklist
- Focus on security-critical paths
- Document all suspicious patterns
- Cross-reference with known CVEs
Phase 3: Variant Hunting
- For each finding, extract pattern
- Search for variants systematically
- Validate each potential variant
- Assess aggregate risk
Phase 4: Reporting
- Consolidate findings by category
- Assign severity ratings
- Provide remediation guidance
- Highlight systemic issues
Integration with Static Analysis
Semgrep Rules for Common Patterns
# Example: Detect SQL injection in Python
rules:
- id: sql-injection-format
patterns:
- pattern: $CURSOR.execute($QUERY % ...)
message: "Potential SQL injection via string formatting"
severity: ERROR
languages: [python]
CodeQL Queries
// Find tainted data flowing to dangerous sinks
import python
import semmle.python.dataflow.TaintTracking
from DataFlow::PathNode source, DataFlow::PathNode sink
where TaintTracking::localTaint(source.getNode(), sink.getNode())
and sink.getNode().asExpr().(Call).getTarget().getName() = "execute"
select sink, source, sink, "Tainted input reaches SQL execution"
Examples
See the /examples folder for:
- Real-world sharp edges examples by language
- Variant analysis case studies
- Pattern extraction walkthroughs
Resources
resources/sharp-edges-catalog.md - Comprehensive catalog of dangerous patternsresources/variant-patterns.md - Common vulnerability pattern templatestemplates/variant-report.md - Report template for variant analysis
Guidelines
- Always verify - Don't report theoretical issues as confirmed vulnerabilities
- Context matters - A pattern may be safe in one context, dangerous in another
- Prioritize exploitability - Focus on patterns that lead to real impact
- Document assumptions - Note any threat model assumptions
- Systemic over point fixes - Recommend architectural improvements when patterns repeat
Skill Files
vulnhunter/
├── SKILL.md # This file
├── resources/
│ ├── sharp-edges-catalog.md # Categorized dangerous patterns
│ └── variant-patterns.md # Vulnerability pattern templates
├── examples/
│ ├── smart-contracts/ # Solidity/blockchain examples
│ ├── web-apps/ # Web application examples
│ └── native-code/ # C/C++/Rust examples
├── templates/
│ └── variant-report.md # Analysis report template
└── docs/
└── methodology.md # Detailed methodology guide
Weekly Installs
74
Repository
sendaifun/skills
GitHub Stars
68
First Seen
Jan 24, 2026
Security Audits
Gen Agent Trust HubPassSocketPassSnykPass
Installed on
codex70
gemini-cli68
opencode67
github-copilot65
amp64
kimi-cli64
